A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for applying a security policy to a network device, the method comprising: performing an identification of a device connected to an access point; collecting audit information pertaining to the device, by querying network equipment; and applying a security policy that includes requirements pertaining to the identification and the audit information, the applying of the security policy taking place at a gatekeeper, wherein applying the security policy includes altering a data communication within the access point with respect to the device.
2. The method of claim 1, wherein the applying of the security policy includes the gatekeeper granting, to the device, access to a subset of a protected network.
3. The method of claim 2, wherein granting access includes assigning an access control list.
4. The method of claim 2, wherein granting access includes assigning a VLAN.
5. The method of claim 1, wherein performing the identification of the device includes identifying a user of the device.
6. The method of claim 1, wherein performing the identification includes using an EAP protocol.
7. The method of claim 1, wherein the security policy includes a requirement to have a required version of an application on the device.
8. The method of claim 1, wherein the security policy includes a requirement pertaining to an operating system type on the device.
9. The method of claim 1, wherein the security policy includes a limit on what other devices are coupled to the device.
10. The method of claim 1, wherein the security policy includes a requirement pertaining to an operating system version on the device.
11. The method of claim 1, wherein the security policy includes a requirement for a user of the device to enter a password.
12. The method of claim 1, wherein the security policy includes a requirement for antivirus software running on the device.
13. The method of claim 1, wherein the applying of the security policy includes the gatekeeper taking part in facilitating an update to a software application on the device.
14. The method of claim 1, wherein the audit information includes information pertaining to an application on the device.
15. The method of claim 1, wherein the audit information includes information pertaining to an operating system of the device.
16. The method of claim 1, wherein the audit information includes information pertaining to security vulnerabilities on the device.
17. The method of claim 1, wherein the audit information includes information pertaining to configuration of the device.
18. The method of claim 1, wherein the audit information is obtained from network equipment to which the device is directly connected.
19. The method of claim 1, wherein the audit information is obtained from network equipment to which the device is indirectly connected.
20. The method of claim 1, wherein the audit information is obtained from a router to which the device is indirectly connected.
21. The method of claim 1, further comprising collecting information by probing the device, the probing including sending a specific packet to the device and detecting the presence or absence of a response, the information collected by probing being used in applying the security policy.
22. The method of claim 1, further comprising collecting information by probing the device, the probing including sending a specific packet to the device, receiving a response and examining contents of the response, the information collected by probing being used in applying the security policy.
23. The method of claim 1, further comprising collecting information using an agent executing on the device, the information collected using the agent being used in applying the security policy.
24. The method of claim 1, wherein the altering the data communication includes allowing access to a secure subset of a network from the device.
25. The method of claim 1, wherein the audit information pertaining to the device includes audit data.
26. The method of claim 1, wherein the audit information includes third party information.
27. A method for applying a security policy to a network device, the method comprising: performing an identification of a device connected to an access point; collecting information pertaining to the device from network equipment to which the device is directly or indirectly connected, by querying the network equipment; collecting information using an agent executing on the device; collecting information by probing the device, the probing including sending a specific packet to the device; and applying a security policy that includes requirements pertaining to the identification, the information collected using the agent, the information collected by probing and the audit information, the applying of the security policy taking place at a gatekeeper, wherein applying the security policy includes altering a data communication within the access point with respect to the device.
28. The method of claim 27, wherein the probing further includes detecting the presence or absence of a response to the packet.
29. The method of claim 27, wherein the probing further includes receiving a response to the packet and examining contents of the response.
30. A method for applying a security policy to a network device, the method comprising: performing an identification of a device connected to an access point; collecting audit information pertaining to the device from network equipment to which the device is directly or indirectly connected, by querying the network equipment; and applying a security policy that includes requirements pertaining to the identification and the audit information, the applying of the security policy taking place at a gatekeeper, wherein applying the security policy includes altering a data communication within the access point with respect to the device, wherein altering the data communication includes using a RADIUS protocol.
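As an added illustration (not code from the patent or from any product implementing it), the following Python sketches the gatekeeper step that the abstract and claims describe: collected audit information is checked against a policy of the kind claims 7 to 12 and 14 to 16 enumerate, and the outcome is expressed, as in claims 4 and 30, as RADIUS tunnel attributes (RFC 3580) that would move the access point's port into either the restricted subset or the less-restricted protected subset. The field names, VLAN numbers and policy thresholds are constructed assumptions.

```python
from dataclasses import dataclass

RESTRICTED_VLAN = "100"  # constructed: subset holding only the gatekeeper, reached before the policy passes
PROTECTED_VLAN = "10"    # constructed: less-restricted subset granted once the policy is satisfied


@dataclass
class DeviceAudit:
    """Audit information the gatekeeper gathered from switches, an agent, or probes (assumed layout)."""
    user: str                   # identification of the user, e.g. via EAP (claims 5, 6)
    os_type: str                # claim 8
    os_version: tuple           # claim 10
    antivirus_running: bool     # claim 12
    app_versions: dict          # application name -> installed version (claims 7, 14)
    coupled_devices: int        # other devices attached behind this one (claim 9)
    known_vulnerabilities: int  # claim 16


@dataclass
class SecurityPolicy:
    allowed_os: frozenset
    min_os_version: tuple
    required_apps: dict         # application name -> minimum acceptable version
    max_coupled_devices: int


def evaluate(policy: SecurityPolicy, audit: DeviceAudit) -> list:
    """Return the unmet requirements; an empty list means the device may be granted access."""
    failures = []
    if audit.os_type not in policy.allowed_os:
        failures.append(f"os type {audit.os_type} not allowed")
    elif audit.os_version < policy.min_os_version:
        failures.append(f"os version {audit.os_version} below {policy.min_os_version}")
    if not audit.antivirus_running:
        failures.append("antivirus not running")
    for app, minimum in policy.required_apps.items():
        if audit.app_versions.get(app, (0,)) < minimum:
            failures.append(f"{app} missing or older than {minimum}")
    if audit.coupled_devices > policy.max_coupled_devices:
        failures.append(f"{audit.coupled_devices} coupled devices exceed limit {policy.max_coupled_devices}")
    if audit.known_vulnerabilities:
        failures.append(f"{audit.known_vulnerabilities} known unpatched vulnerabilities")
    return failures


def radius_reply(failures: list) -> dict:
    """RFC 3580 tunnel attributes for the Access-Accept that reconfigures the access point's port;
    Reply-Message carries what must be remediated so an update can be facilitated (claim 13)."""
    vlan = PROTECTED_VLAN if not failures else RESTRICTED_VLAN
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan,
            "Reply-Message": "compliant" if not failures else "; ".join(failures)}
```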
June 14, 2012
February 11, 2014